WordPress.org

Make WordPress Core

Ticket #24783: 24783.2.diff

File 24783.2.diff, 4.0 KB (added by nacin, 6 years ago)

Maybe increase the key length to 30?

  • wp-login.php

     
    197197 * @return bool|WP_Error True: when finish. WP_Error on error
    198198 */
    199199function retrieve_password() {
    200         global $wpdb, $current_site;
     200        global $wpdb, $current_site, $wp_hasher;
    201201
    202202        $errors = new WP_Error();
    203203
     
    236236        else if ( is_wp_error($allow) )
    237237                return $allow;
    238238
    239         $key = $wpdb->get_var($wpdb->prepare("SELECT user_activation_key FROM $wpdb->users WHERE user_login = %s", $user_login));
    240         if ( empty($key) ) {
    241                 // Generate something random for a key...
    242                 $key = wp_generate_password(20, false);
    243                 do_action('retrieve_password_key', $user_login, $key);
    244                 // Now insert the new md5 key into the db
    245                 $wpdb->update($wpdb->users, array('user_activation_key' => $key), array('user_login' => $user_login));
     239        // Generate something random for a key...
     240        $key = wp_generate_password( 30, false );
     241        do_action( 'retrieve_password_key', $user_login, $key );
     242        // Now insert the key, hashed, into the DB
     243        if ( empty( $wp_hasher ) ) {
     244                require_once ABSPATH . 'wp-includes/class-phpass.php';
     245                $wp_hasher = new PasswordHash( 8, true );
    246246        }
     247        $hashed = $wp_hasher->HashPassword( $key );
     248        $wpdb->update( $wpdb->users, array( 'user_activation_key' => $hashed ), array( 'user_login' => $user_login ) );
     249
    247250        $message = __('Someone requested that the password be reset for the following account:') . "\r\n\r\n";
    248251        $message .= network_home_url( '/' ) . "\r\n\r\n";
    249252        $message .= sprintf(__('Username: %s'), $user_login) . "\r\n\r\n";
     
    276279 *
    277280 * @param string $key Hash to validate sending user's password
    278281 * @param string $login The user login
    279  * @return object|WP_Error User's database row on success, error object for invalid keys
     282 * @return WP_User|WP_Error WP_User object on success, WP_Error object for invalid keys
    280283 */
    281284function check_password_reset_key($key, $login) {
    282         global $wpdb;
     285        global $wpdb, $wp_hasher;
    283286
    284287        $key = preg_replace('/[^a-z0-9]/i', '', $key);
    285288
     
    289292        if ( empty($login) || !is_string($login) )
    290293                return new WP_Error('invalid_key', __('Invalid key'));
    291294
    292         $user = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->users WHERE user_activation_key = %s AND user_login = %s", $key, $login));
    293 
    294         if ( empty( $user ) )
     295        $row = $wpdb->get_row( $wpdb->prepare( "SELECT ID, user_activation_key FROM $wpdb->users WHERE user_login = %s", $login ) );
     296        if ( ! $row )
    295297                return new WP_Error('invalid_key', __('Invalid key'));
    296298
    297         return $user;
     299        if ( empty( $wp_hasher ) ) {
     300                require_once ABSPATH . 'wp-includes/class-phpass.php';
     301                $wp_hasher = new PasswordHash( 8, true );
     302        }
     303
     304        if ( $wp_hasher->CheckPassword( $key, $row->user_activation_key ) )
     305                return get_userdata( $row->ID );
     306
     307        if ( $key === $row->user_activation_key )
     308                return new WP_Error('expired_key', __('Invalid key'));
     309
     310        return new WP_Error('invalid_key', __('Invalid key'));
    298311}
    299312
    300313/**
     
    440453                }
    441454        }
    442455
    443         if ( isset($_GET['error']) && 'invalidkey' == $_GET['error'] ) $errors->add('invalidkey', __('Sorry, that key does not appear to be valid.'));
     456        if ( isset( $_GET['error'] ) ) {
     457                if ( 'invalidkey' == $_GET['error'] )
     458                        $errors->add( 'invalidkey', __( 'Sorry, that key does not appear to be valid.' ) );
     459                elseif ( 'expiredkey' == $_GET['error'] )
     460                        $errors->add( 'expiredkey', __( 'Sorry, that key has expired. Please try again.' ) );
     461        }
     462
    444463        $redirect_to = apply_filters( 'lostpassword_redirect', !empty( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : '' );
    445464
    446465        do_action('lost_password');
     
    476495        $user = check_password_reset_key($_GET['key'], $_GET['login']);
    477496
    478497        if ( is_wp_error($user) ) {
    479                 wp_redirect( site_url('wp-login.php?action=lostpassword&error=invalidkey') );
     498                if ( $user->get_error_code() === 'expired_key' )
     499                        wp_redirect( site_url( 'wp-login.php?action=lostpassword&error=expiredkey' ) );
     500                else
     501                        wp_redirect( site_url( 'wp-login.php?action=lostpassword&error=invalidkey' ) );
    480502                exit;
    481503        }
    482504